Employees empowered with the resources and knowledge to protect your organization from cyberthreats is one of the best lines of defense you can have.
One focus of employee online safety education should include debunking commonly quoted cybersecurity misconceptions. This list – assembled by the National Cybersecurity Alliance, in collaboration with public and private partners – is based on the experiences of business leaders and employees from across the United States.
#1: My data (or the data I have access to) isn’t valuable
Organizations of all sizes maintain, or have access to, valuable data worth protecting. Such data may include but is not limited to employment records, tax information, confidential correspondence, point of sale systems, business contracts. All data is valuable.
Take Action: Assess the data you create, collect, store, access, transmit and then classify that data by its level of sensitivity so you can take appropriate steps to protect it. Learn more about how to do this.
#2: Cybersecurity is a technology issue
Organizations cannot rely on technology to secure their data. Cybersecurity is best approached with a mix of employee training, clear and accepted policies and procedures, and implementation of up to date technologies such as antivirus and anti-malware software. Cybersecuring an organization is the responsibility of the entire workforce, not just the IT staff.
Take Action: Educate every single employee (in every function and at every level of the organization) on their responsibility to help protect all business information. Learn more about how to do this with the National Institute for Standards and Technology guide.
#3: Cybersecurity requires a large financial investment
A robust cybersecurity strategy does require a financial commitment if you are serious about protecting your organization. However, there are many steps you can take that require little or no financial investment.
Take Action: Create and institute cybersecurity policies and procedures; restrict administrative and access privileges; enable multi-factor or 2-factor authentication; train employees to spot malicious emails and create backup manual procedures to keep critical business processes in operation during a cyber incident. Such procedures may include processing payments in the case a third party vendor or website is not operational. Learn more about how to do this using NCA’s “Quick Wins” tip sheet.
#4: Outsourcing work to a vendor will wash your hands of security liability in the case of a cyber incident
It makes complete sense to outsource some of your work to others, but it does not mean you relinquish responsibility for protecting the data a vendor has access to. The data is yours and you have a legal and ethical responsibility to keep it safe and secure.
Take Action: Make sure you have thorough agreements in place with all vendors, including how company data is handled, who owns the data and has access to it, how long the data is retained and what happens to data once a contract is terminated. You should also have a lawyer review any vendor agreements. Learn more about how to do this with this American Bar Association list.
#5: Cyber breaches are covered by general liability insurance
Many standard business liability insurance policies do not cover cyber incidents or data breaches.
Take Action: Speak with your insurance representative to understand if you have any existing cybersecurity insurance and what type of policy would best ﬁt your company’s needs. Learn more about how to do this with the Federal Trade Commission’s (FTC) Small Business Center.
#6: Cyberattacks always come from external actors
Succinctly put, cyberattacks do not always come from external actors. Some cybersecurity incidents are caused accidentally by an employee – such as when they copy and paste sensitive information into an email and send it to the wrong recipient. Other times, a disgruntled (or former) employee might take revenge by launching an attack on the organization.
Take Action: When considering your threat landscape, it is important not to overlook potential cybersecurity incidents that can come from within the organization and develop strategies to minimize those threats. Learn more about how to do this using this Cybersecurity and Critical Infrastructure Agency resource.
#7: Young people are better at cybersecurity than others
Oftentimes, the youngest person in the organization becomes the default “IT” person. Age is not directly correlated to better cybersecurity practices.
Take Action: Before giving someone responsibility to manage your social media, website, network, etc., educate them on your expectations of use and cybersecurity best practices. Learn more about how different generations behave online.
#8: Compliance with industry standards is enough for a security program
Complying with the Health Insurance Portability & Accountability Act (HIPAA) or Payment Card Industry (PCI), for example, is a critical component to securing sensitive information, but simply complying with these standards does not equate to a robust cybersecurity strategy for an organization.
Take Action: Use a robust framework, such as the NIST Cybersecurity Framework, to manage cybersecurity-related risk. Learn more about the NIST Cybersecurity Framework.
#9: Digital and physical security are separate
Many people narrowly associate cybersecurity with only software and code. However, when protecting your sensitive assets you should not discount physical security.
Take Action: Include an assessment of your office’s layout and how easy it is to gain unauthorized physical access to sensitive information and assets (e.g. servers, computers, paper records) in your planning. Once your assessment is completed, implement strategies and policies to prevent unauthorized physical access. Policies may include controlling who can access certain areas of the office and appropriately securing laptops and phones while traveling. Learn more about physical security on the FTC’s website.
#10: New software and devices are automatically secure when I buy them
Just because something is new, doesn’t mean it’s secure.
Take Action: The moment you purchase new technology, make sure it is operating with the most current software and immediately change the manufacturer’s default password to a secure passphrase. When creating a new passphrase, use a lengthy, unique phrase for the account or device. Sign up for a new online account? Be sure to immediately configure your privacy settings before you begin using the service. Find information on securing new devices.
View and download a condensed version of this content you can share around your business and with your networks.